CVE-2025-22041 - Vulnerability Details

- ksmbd: fix use-after-free in ksmbd_sessions_deregister()

Description

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free in ksmbd_sessions_deregister()

In multichannel mode, UAF issue can occur in session_deregister
when the second channel sets up a session through the connection of
the first channel. session that is freed through the global session
table can be accessed again through ->sessions of connection.

Published: 2025-04-16

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a use‑after‑free in ksmbd_sessions_deregister() that can be triggered when a second SMB channel sets up a session while the first channel is still active. The freed session in the global session table can still be accessed through the connection’s session list, leading to kernel memory corruption. Because the code runs in privileged kernel space, an attacker could potentially craft SMB traffic to drive corrupted data into executable paths, allowing arbitrary code execution or a denial‑of‑service by crashing the kernel. The flaw is categorized as CWE‑416.

Affected Systems

All Linux kernels that include the ksmbd SMB server component are potentially affected. The specific release numbers are not listed in the data, but a patch commit is referenced in the kernel git log and a Debian LTS announcement indicates they will be patched in upcoming releases.

Risk and Exploitability

The CVSS score of 8.8 indicates a high impact, but the EPSS score of <1% signals that the likelihood of exploitation in the wild is currently very low. The flaw is not listed as a Known Exploited Vulnerability by CISA, so active exploitation is not confirmed. Attackers would need to reach the PSM server over SMB, either locally on the machine or remotely if the service is exposed, to send crafted requests that exercise the UAF path. No official workaround is supplied by the CNA.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`0626e6641f6b467447c81dd7678a69c66f7746cf`	affected	< f0eb3f575138b816da74697bd506682574742fcd
`0626e6641f6b467447c81dd7678a69c66f7746cf`	affected	< a8a8ae303a8395cbac270b5b404d85df6ec788f8
`0626e6641f6b467447c81dd7678a69c66f7746cf`	affected	< ca042cc0e4f9e0d2c8f86dd67e4b22f30a516a9b
`0626e6641f6b467447c81dd7678a69c66f7746cf`	affected	< 8ed0e9d2f410f63525afb8351181eea36c80bcf1
`0626e6641f6b467447c81dd7678a69c66f7746cf`	affected	< 33cc29e221df7a3085ae413e8c26c4e81a151153
`0626e6641f6b467447c81dd7678a69c66f7746cf`	affected	< 15a9605f8d69dc85005b1a00c31a050b8625e1aa

Linux

affected

Version	Status	Constraints
`5.15`	affected	—
`0`	unaffected	< 5.15
`6.1.134`	unaffected	≤ 6.1.*
`6.6.87`	unaffected	≤ 6.6.*
`6.12.23`	unaffected	≤ 6.12.*
`6.13.11`	unaffected	≤ 6.13.*
`6.14.2`	unaffected	≤ 6.14.*
`6.15`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a version that contains the ksmbd use‑after‑free fix; the patch is available in mainline kernel commits.
If SMB server functionality is not required, disable the ksmbd module (e.g., by omitting it from the kernel config or setting 'ksmbd=off' on boot).
If an immediate kernel upgrade is not possible, restrict SMB traffic to trusted IP addresses and monitor for abnormal session activity.

Generated by OpenCVE AI on April 28, 2026 at 02:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4193-1	linux-6.1 security update
Debian DSA	DSA-5907-1	linux security update
EUVD	EUVD-2025-11254	In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in ksmbd_sessions_deregister() In multichannel mode, UAF issue can occur in session_deregister when the second channel sets up a session through the connection of the first channel. session that is freed through the global session table can be accessed again through ->sessions of connection.
Ubuntu USN	USN-7594-1	Linux kernel vulnerabilities
Ubuntu USN	USN-7594-2	Linux kernel (Azure) vulnerabilities
Ubuntu USN	USN-7594-3	Linux kernel vulnerabilities
Ubuntu USN	USN-7605-1	Linux kernel vulnerabilities
Ubuntu USN	USN-7605-2	Linux kernel (Low Latency) vulnerabilities
Ubuntu USN	USN-7606-1	Linux kernel (OEM) vulnerabilities
Ubuntu USN	USN-7628-1	Linux kernel (Azure) vulnerabilities
Ubuntu USN	USN-7835-1	Linux kernel vulnerabilities
Ubuntu USN	USN-7835-2	Linux kernel (Real-time) vulnerabilities
Ubuntu USN	USN-7835-3	Linux kernel vulnerabilities
Ubuntu USN	USN-7835-4	Linux kernel (HWE) vulnerabilities
Ubuntu USN	USN-7835-5	Linux kernel (Oracle) vulnerabilities
Ubuntu USN	USN-7835-6	Linux kernel (AWS) vulnerabilities
Ubuntu USN	USN-7887-1	Linux kernel (Raspberry Pi Real-time) vulnerabilities
Ubuntu USN	USN-7887-2	Linux kernel (Raspberry Pi) vulnerabilities
Ubuntu USN	USN-7940-1	Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN	USN-7940-2	Linux kernel (Azure, N-Series) vulnerabilities

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00128.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://git.kernel.org/stable/c/15a9605f8d69dc85005b1a00c31a050b8625e1aa
https://git.kernel.org/stable/c/33cc29e221df7a3085ae413e8c26c4e81a151153
https://git.kernel.org/stable/c/8ed0e9d2f410f63525afb8351181eea36c80bcf1
https://git.kernel.org/stable/c/a8a8ae303a8395cbac270b5b404d85df6ec788f8
https://git.kernel.org/stable/c/ca042cc0e4f9e0d2c8f86dd67e4b22f30a516a9b
https://git.kernel.org/stable/c/f0eb3f575138b816da74697bd506682574742fcd
https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html
https://lore.kernel.org/linux-cve-announce/2025041600-CVE-2025-22041-6dbd@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2025-22041
https://www.cve.org/CVERecord?id=CVE-2025-22041

History

Thu, 02 Apr 2026 09:00:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Mon, 03 Nov 2025 20:30:00 +0000

Type	Values Removed	Values Added
References		https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html

Fri, 25 Apr 2025 19:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel

Mon, 21 Apr 2025 15:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416
Metrics	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}` cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Thu, 17 Apr 2025 14:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2025041600-CVE-2025-22041-6dbd@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2025-22041 https://www.cve.org/CVERecord?id=CVE-2025-22041
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Low`

Wed, 16 Apr 2025 14:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in ksmbd_sessions_deregister() In multichannel mode, UAF issue can occur in session_deregister when the second channel sets up a session through the connection of the first channel. session that is freed through the global session table can be accessed again through ->sessions of connection.
Title		ksmbd: fix use-after-free in ksmbd_sessions_deregister()
References		https://git.kernel.org/stable/c/15a9605f8d69dc85005b1a00c31a050b8625e1aa https://git.kernel.org/stable/c/33cc29e221df7a3085ae413e8c26c4e81a151153 https://git.kernel.org/stable/c/8ed0e9d2f410f63525afb8351181eea36c80bcf1 https://git.kernel.org/stable/c/a8a8ae303a8395cbac270b5b404d85df6ec788f8 https://git.kernel.org/stable/c/ca042cc0e4f9e0d2c8f86dd67e4b22f30a516a9b https://git.kernel.org/stable/c/f0eb3f575138b816da74697bd506682574742fcd

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2025-04-16T14:11:58.250Z

Updated: 2026-04-02T08:39:30.200Z

Reserved: 2024-12-29T08:45:45.809Z

Link: CVE-2025-22041

Vulnrichment

Updated: 2025-11-03T19:41:23.122Z

NVD

Status : Modified

Published: 2025-04-16T15:15:56.693

Modified: 2026-04-02T09:16:18.660

Link: CVE-2025-22041

Redhat

Severity : Low

Publid Date: 2025-04-16T00:00:00Z

Links: CVE-2025-22041 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T02:30:18Z

Weaknesses

CWE-416

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object